  1. #1

    DoS or DDoS attack prevention

    My server has been continuously attacked by DoS and DDoS attacks; that is what my hosting company (Hostcentric) is saying, and it is making them shut down my system again and again.

    I do not have much knowledge about these attacks, so kindly help me with how to prevent them.
    How do I find out what sort of attacks these are, and what firewall should I install to get rid of them?

    Here is what the server people told me:
    >Outbound UDP Flood from D9024. I have unplugged D9024 from the network. It will stay off until 8pm tonight. Here is a sample of the flood that was occurring. (It came from a high, unprivileged port.)
    >
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 46797 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 61447 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 25606 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 48586 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 24248 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 62153 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 8577 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 45818 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 6461 46 (368bps 0%)


    Please help me figure out from which port these attacks are arising,
    and how to prevent them.

  2. #2
    Join Date: Oct 2004 | Posts: 133
    This seems to me to be an internal attack from inside Hostcentric.
    For instance, another server with account(s) which was hacked.
    The person that did that uploaded flood tools and started to flood.
    Unfortunately Hostcentric is not famous for its good DDoS prevention network.
    In this case I can advise you only one thing: switch data centers.

    Another solution would be to buy a DDoS prevention device, which is anything but cheap.

  3. #3
    Join Date: Aug 2004 | Location: Karachi, Pakistan | Posts: 748
    From the looks of it, it seems varunbihani's server at Hostcentric is sending OUT UDP flood packets to the IP address (which happens to be in Spain). Unless I am reading it wrong.

    The sysadmin message says "Outbound UDP FLood from D9024"

    Most likely his system has been compromised and is now hosting zombies for DDoS.

    Faisal
    "I drink too much. The last time I gave a urine sample it had an olive in it. ".
    Rodney Dangerfield (from "I Get No Respect!").

  4. #4
    Join Date: May 2005 | Posts: 67
    I'm sure that there are people with strong convictions as to which device might be used to limit DDoS attacks, but we use Cisco PIX to protect our servers. If your server is small/low bandwidth, you could get away with a $400 Cisco PIX 501; however, I would recommend getting into at least a 506E ($800).

  5. #5
    Join Date: Aug 2004 | Location: Karachi, Pakistan | Posts: 748
    Putting a firewall in and turning the logging on, both inbound and outbound, will tell you a lot about your problem. But like I said, I think your machine is infected/compromised, as the initial readings indicate an outbound UDP flood.

  6. #6
    Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,681
    Why would he need a firewall, when HE is the one sending the attacks?

    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 46797 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 61447 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 25606 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 48586 92 (736bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 24248 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 62153 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 8577 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 45818 46 (368bps 0%)
    >00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 6461 46 (368bps 0%)


    Just DNS the IP in his signature. 209.25.178.53 is his server IP.

    varunbihani, unless you can pay someone to fix your server, you will need reasonable Linux knowledge for people on here to help you.

    Paste the output of the following:

    Code:
    ps aux
    netstat -npl
    ls -al /tmp
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  7. #7
    Is this caused by some unwanted/malicious script/program on my server? How can anybody from outside the network do such things on my server? I would like to know the root cause of this.

    My server people (Hostcentric) are not willing to provide any help whatsoever.
    What should I do now? Shall I ask for an OS reload? Will that get rid of the attacks?

  8. #8
    Join Date: Aug 2004 | Location: Karachi, Pakistan | Posts: 748
    Well, the reasons could be many. Yes, someone from the outside can compromise your server if it is not adequately secured. I suggest you get in touch with www.rack911.com (Steve) and take on one of his security hardening patches, etc. Steve should be able to help you out in securing the box.

  9. #9
    Join Date: Aug 2004 | Location: Karachi, Pakistan | Posts: 748
    HostGeekZ, by putting a firewall in he can easily see what is traversing his network; in this case he could simply have put in a policy to deny UDP outbound on port 35349. He might or might not have access to the machine, but he can surely control what's coming and going to it. It's an added buffer (or luxury, if that may be the case).

  10. #10
    Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,681
    Originally posted by Babushka99:
    >HostGeekZ, by putting a firewall in he can easily see what is traversing his network; in this case he could simply have put in a policy to deny UDP outbound on port 35349. He might or might not have access to the machine, but he can surely control what's coming and going to it. It's an added buffer (or luxury, if that may be the case).

    Maybe you are not getting my point. Why on earth would you block the UDP to that host?

    What is the point of that when the vulnerable scripts are still there, and then they can attack someone else?

    -Scott

  11. #11
    Hi all,

    I agree with HostGeekZ here; there would be no point putting a firewall in place at this point, as the system has some script of some sort causing this OUTBOUND UDP attack. I would suggest getting a Linux admin to take a look at your server. If this is not possible, please do as suggested above:

    Run the commands:
    ps aux
    netstat -npl
    ls -al /tmp
    Maybe install chkrootkit, and post the output of them all.
    Shared Hosting Reseller Hosting Domain Registration
    Free 24/7 support H-Sphere control panel
    www.GuardianServe.com
    sales@GuardianServe.com

  12. #12
    Join Date: May 2005 | Posts: 67
    Originally posted by GuardianServe:
    >Hi all,
    >
    >I agree with HostGeekZ here; there would be no point putting a firewall in place at this point, as the system has some script of some sort causing this OUTBOUND UDP attack. I would suggest getting a Linux admin to take a look at your server. If this is not possible, please do as suggested above:
    >
    >Run the commands:
    >ps aux
    >netstat -npl
    >ls -al /tmp
    >Maybe install chkrootkit, and post the output of them all.

    A firewall is used to restrict incoming AND outgoing traffic. You paid for the whole thing; you might as well use it as it was intended.
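The thread gives three pieces of advice: read the sysadmin's sample to see that the flood is outbound (posts #3 and #6), collect `ps aux`, `netstat -npl`, `ls -al /tmp` and chkrootkit output (posts #6 and #11), and, as containment, log and deny outbound UDP from source port 35349 (posts #9 and #12). The following script is an added example, not code from any poster in this thread: it ties those steps together for a Linux host. It assumes POSIX sh, awk, and either `ss` or `netstat`; chkrootkit is optional. The sample flood lines are constructed in the same format as the sysadmin's paste, and the function names (`summarize_flood`, `udp_socket_owner`, `containment_rules`, `triage`) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): triage helper for the outbound UDP flood
# case discussed above. Assumes Linux, POSIX sh, awk, and `ss` or `netstat`.

# Constructed sample in the sysadmin's format (fields as in the thread's paste):
# SRC_MAC -> DST_MAC SRC_IP -> DST_IP udp SPORT -> DPORT LEN (bps pct)
SAMPLE_FLOOD='00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)'

# summarize_flood OUR_IP   (flood lines on stdin)
# Prints: DIRECTION srcs=N src=IP sport=PORT distinct_dports=N packets=N
# "outbound" means the single source IP of the flood is this server, which is
# what posts #3 and #6 read off the sample: one local socket spraying random
# destination ports, i.e. the box is the attacker, not the target.
summarize_flood() {
    awk -v me="$1" '
    $7 == "udp" { n++; src[$4]++; sport[$8]++; dport[$10]++ }
    END {
        ns = 0; for (s in src)   { ns++; srcip = s }
        np = 0; for (p in sport) { np++; srcport = p }
        nd = 0; for (d in dport) nd++
        dir = (ns == 1 && srcip == me) ? "outbound" : "inbound-or-mixed"
        printf "%s srcs=%d src=%s sport=%s distinct_dports=%d packets=%d\n", dir, ns, srcip, srcport, nd, n
    }'
}

# udp_socket_owner PORT
# Lists the local UDP socket bound to PORT with its owning PID/program name,
# via `ss -unap` (or `netstat -nup` on older systems). For the thread's sample
# the port to look up is the flood's source port, 35349. Run as root so the
# process column is populated for every user's sockets.
udp_socket_owner() {
    if command -v ss >/dev/null 2>&1; then
        ss -unap 2>/dev/null | awk -v p="$1" 'NR > 1 && $4 ~ (":" p "$")'
    else
        netstat -nup 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$")'
    fi
}

# containment_rules PORT
# Prints (does not apply) the policy from post #9: log, then drop, outbound
# UDP from the flooding source port. Inserted at positions 1 and 2 so LOG is
# evaluated before DROP and before any earlier ACCEPT rule in OUTPUT.
# This only stops the flood leaving the box; as posts #10 and #11 say, the
# compromised script stays until the host is cleaned or reloaded.
containment_rules() {
    printf 'iptables -I OUTPUT 1 -p udp --sport %s -j LOG --log-prefix "UDP-FLOOD-OUT "\n' "$1"
    printf 'iptables -I OUTPUT 2 -p udp --sport %s -j DROP\n' "$1"
}

# triage: the evidence the other posters asked for, in one run.
triage() {
    echo '== processes (ps aux) =='; ps aux
    echo '== bound sockets (netstat -npl / ss -lnptu) =='
    if command -v ss >/dev/null 2>&1; then ss -lnptu; else netstat -npl; fi
    echo '== /tmp contents (ls -al /tmp) =='; ls -al /tmp
    if command -v chkrootkit >/dev/null 2>&1; then echo '== chkrootkit =='; chkrootkit; fi
}

# Usage:  sh triage.sh live   -> run the live triage commands on this host
#         sh triage.sh        -> analyse the constructed sample only
case "${1:-}" in
    live) triage ;;
    *)    printf '%s\n' "$SAMPLE_FLOOD" | summarize_flood 209.25.178.53
          containment_rules 35349 ;;
esac
```

Without `live` the script only analyses the constructed sample and prints the containment rules for review; with `live` it runs the same `ps aux`, socket listing, `ls -al /tmp` and chkrootkit commands the posters asked varunbihani to paste. The rules are printed rather than applied so they can be read first, and because, as the later posts stress, blocking the port is a stopgap while the compromised script is found and removed.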
